Sudden User Authentication Rejection as a result Compatibility - error

Clement Ogedengbe c.ogedengbe at worc.ac.uk
Mon Feb 23 16:02:07 CET 2015


Thanks all for your contribution. For clarity:  

All users are rejected, regardless of client platform or OS.

I switched over the NAS to the secondary server when the primary server started to fail, and the secondary server (which has a similar configuration to the one failing) is authenticating users successfully. The two servers use the same server certificate.

Please find attached the debug log.

It's really weird!


Best Regards

Clement Ogedengbe

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org] On Behalf Of A.L.M.Buxey at lboro.ac.uk
Sent: 23 February 2015 12:30
To: FreeRadius users mailing list
Subject: Re: Sudden User Authentication Rejection as a result Compatibility - error

Hi,

> come to light in a big way this morning), "nothing changed anywhere", 
> it had been working fine for years and the issue affects machines with 
> Win7 and higher.  Phones, Macs etc. all authenticate just fine.
> 
> I haven't progressed much further down the troubleshooting path, so 
> don't have much concrete to suggest, but if it is a similar problem, 
> the server is not at fault and it is a client issue as others have 
> already suggested.
> 
> I'm about to embark on debugging in the depths of the Windows 802.1x 
> client; if I do find anything I'll post here for the sake of the 
> archives.

as already mentioned, there have been windows updates that have gone out recently that have caused many a mischief. we've not been affected (probably because we have our own CA for this...) - I suspect a certificate CA update on the clients which has meant the root CA or an intermediate are no longer known or trusted correctly.  if the RADIUS server pushed out its cert and ALL the chain, then local intermediates SHOULDN'T be an issue...but if the root is no longer correctly known then that would be ka-blam!

easiest way to finger this...find/identify a troublesome client, visit said machine, delete the eduroam connection profile/details and reconnect - see what it says about the RADIUS cert/trust.

alan
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radius-reject-log.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150223/fa439d80/attachment-0001.txt>

